CVE-2024-1638: 
NixOS vulnerability analysis and mitigation

CVE-2024-1638 is a security vulnerability discovered in the Zephyr Project's Bluetooth implementation affecting versions up to 3.5.0. The vulnerability relates to improper enforcement of Bluetooth characteristic LE Secure Connection (LESC) security requirements. The issue was disclosed on February 19, 2024, and involves the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC permission flags not being properly enforced unless combined with additional permission flags (Zephyr Advisory).

The vulnerability stems from the implementation of Bluetooth GATT permissions in the Zephyr RTOS. When BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC flags are used alone without additional permissions (BT_GATT_PERM_READ_ENCRYPT/BT_GATT_PERM_READ_AUTHEN for read or BT_GATT_PERM_WRITE_ENCRYPT/BT_GATT_PERM_WRITE_AUTHEN for write), the stack fails to perform permission checks on these characteristics. The CVSS v3.1 base score is 9.1 (Critical) according to NVD, while the Zephyr Project assessed it at 8.2 (High) (NVD).

The vulnerability allows unauthorized access to read and write operations on Bluetooth characteristics that were intended to be protected by LE Secure Connection encryption. This security permission bypass affects applications that assumed the LESC permission defines work independently without combining them with other defines (Zephyr Advisory).

The issue was addressed in pull request #69170 in the main branch. Users should ensure that LESC permission flags are always combined with appropriate encryption or authentication permission flags (BT_GATT_PERM_READ_ENCRYPT/BT_GATT_PERM_READ_AUTHEN for read operations or BT_GATT_PERM_WRITE_ENCRYPT/BT_GATT_PERM_WRITE_AUTHEN for write operations) (Zephyr Advisory).